
How To Write A Gpmc Script For A Gpc (Windows 2003) On A Windows 2000 (Windows 2000) On Your Computer Or Your Computer (Windows 3) On An Ipad Or Ipad (Windows 2) On The Macbook


Academic year: 2021


Group Policy, Profiles, and IntelliMirror for Windows® 2003, Windows® XP, and Windows® 2000

Jeremy Moskowitz

SYBEX San Francisco London


Table of Contents

Introduction

Chapter 1 Group Policy Essentials

Getting Started with Group Policy
Understanding Local Group Policy
Group Policy Entities and Policy Settings
Active Directory-Based Group Policy
An Example of Group Policy Application
Examining the Resultant Set of Policy
At the Site Level
At the Domain Level
At the OU Level
Group Policy, Active Directory, and the GPMC
Kickin' It Old-School
GPMC Overview
Installing the GPMC
Using the GPMC in Active Directory
Active Directory Users and Computers versus GPMC
Adjusting the View within the GPMC
The GPMC-centric view
Our Own Group Policy Examples
More about Linking and the Group Policy Objects Container
Applying Group Policy Object to the Site Level
Applying Group Policy Objects to the Domain Level
Applying Group Policy Objects to the OU Level
Testing Your Delegation of Group Policy Management
Understanding Group Policy Object Linking Delegation
Granting OU Admins Access to Create New Group Policy Objects
Creating and Linking Group Policy Objects at the OU Level
Creating a New Group Policy Object in an OU
Moving Computers into the Human Resources Computers OU
Verifying Your Cumulative Changes
Things That Aren't Group Policy but Look Like Group Policy
Terminal Services
Routing and Remote Access
Final Thoughts


Chapter 2 Managing Group Policy with the GPMC

Common Procedures with the GPMC
Minimizing the View with Policy Setting Filtering
Raising or Lowering the Precedence of Multiple Group Policy Objects
Understanding GPMC's Link Warning
Stopping Group Policy Objects from Applying
Block Inheritance
The Enforced Function
Advanced Security and Delegation with the GPMC
Filtering Group Policy Objects
Granting User Permissions upon an Existing Group Policy Object
Granting Group Policy Object Creation Rights in the Domain
Special Group Policy Operation Delegations
Who Can Create and Use WMI Filters?
Performing RSoP Calculations with the GPMC
What's-Going-On Calculations with Group Policy Results
What-If Calculations with Group Policy Modeling
Backing Up and Restoring Group Policy Objects
Backing Up Group Policy Objects
Restoring Group Policy Objects
Backing Up and Restoring WMI Filters
Searching for Group Policy Objects with the GPMC
GPMC At-a-Glance Icon View
The GPMC At-a-Glance Compatibility Table
Final Thoughts

Chapter 3 Group Policy Processing Behavior

Group Policy Processing Principles
Initial Policy Processing
Background Refresh Policy Processing
Security Background Refresh Processing
Special Case: Moving a User or a Computer Object
Policy Application via Remote Access or Slow Links
Using Group Policy to Affect Group Policy
Affecting the User Settings of Group Policy
Affecting the Computer Settings of Group Policy
Group Policy Loopback Processing
Reviewing Normal Group Policy Processing
Group Policy Loopback—Merge Mode
Group Policy Loopback—Replace Mode
Group Policy with Cross-Forest Trusts
What Happens When Logging on to Different Clients Across a Cross-Forest Trust?
Disabling Loopback Processing When Using Cross-Forest Trusts
Cross-Forest Trust Client Matrix
Understanding Cross-Forest Trust Permissions
Intermixing Group Policy and NT 4 System Policy
Final Thoughts

Chapter 4 Troubleshooting Group Policy

Under the Hood of Group Policy
Inside Local Group Policy
Inside Active Directory Group Policy Objects
The Birth, Life, and Death of a GPO
How Group Policy Objects Are "Born"
How a GPO "Lives"
Death of a GPO
How Client Systems Get Group Policy Objects
Client-Side Extensions
Where Are Administrative Templates Registry Settings Stored?
Why Isn't Group Policy Applying?
Reviewing the Basics
Advanced Inspection
Client-Side Troubleshooting
RSoP for Windows 2000
RSoP for Windows 2003 and Windows XP
Advanced Group Policy Troubleshooting with Log Files
Using the Event Viewer
Diagnostic Event Log Registry Hacks
Turning On Verbose Logging
Final Thoughts

Chapter 5 Windows ADM Templates

Policies versus Preferences
Typical ADM Templates
Default ADM Templates
Vendor-Supplied ADM Templates
Creating Your Own Custom ADM Changes
Creating Your Own Custom ADM Template
Viewing Old-Style Preferences
Managing Windows ADM Templates
How Do You Currently Manage Your Group Policy Objects?
ADM Template Behavior
ADM Template Management Best Practice
Create a Windows XP Management Workstation
Throttling an Automatic ADM Template Upgrade
Cracking the ADM Files
Final Thoughts

Chapter 6 Implementing Security with Group Policy

The Two Default Group Policy Objects
GPOs Linked at the Domain Level
Group Policy Objects Linked to the Domain Controllers OU
Oops, the "Default Domain Policy" GPO and/or "Default Domain Controllers Policy" GPO Got Screwed Up!
Understanding Local and Effective Security Permissions
The Strange Life of Password Policy
Auditing with Group Policy
Auditing Group Policy Object Changes
Auditing File Access
Logon, Logoff, Startup, and Shutdown Scripts
Startup and Shutdown Scripts
Logon and Logoff Scripts
Internet Explorer Maintenance Policies
Wireless Network (802.11) Policies
Restricted Groups
Strictly Controlling Active Directory Groups
Strictly Controlling Local Group Membership
Strictly Applying Group Nesting
Which Groups Can Go into Which Other Groups Via Restricted Groups?
Software Restriction Policy
Software Restriction Policies' "Philosophies"
Software Restriction Policies' Rules
Securing Workstations with Templates
Security Templates
Your Own Security Templates
The Security Configuration and Analysis Snap-In
Applying Security Templates with Group Policy
Final Thoughts
What I Didn't Cover
Even More Resources
Designing versus Implementing

Chapter 7 Scripting GPMC Operations

Getting Started with GPMC Scripting
GPMC Scripting Caveats
Scripting References
Scripting Tools
Setting the Stage for Your GPMC Scripts
Initial GPMC Script Requirements
Obtaining Domain DNS Names Automatically
Obtaining Basic Domain and Site Information
Creating Simple GPMC Scripts
Automating Routine Group Policy Operations
Documenting GPO Links and WMI Filter Links
Documenting GPO Settings
Creating and Linking New GPOs
Backing Up GPOs
Restoring GPOs
Importing GPOs
Changing GPO Permissions
Forcing a Group Policy Object Refresh
Enabling Remote Scripting
Scripting the Forced Background Refresh
Using the Included GPMC Scripts from Microsoft
Final Thoughts

Chapter 8 Profiles: Local, Roaming, and Mandatory

What Is a User Profile?
The NTUSER.DAT File
Profile Folders
The Default Local User Profile
The Default Domain User Profile
Roaming Profiles
Setting Up Roaming Profiles
Testing Roaming Profiles
Migrating Local Profiles to Roaming Profiles
Roaming and Nonroaming Folders
Windows XP and Windows 2003 Profile Changes
Affecting Roaming Profiles with Computer Group Policy Settings
Affecting Roaming Profiles with User Group Policy Settings
Mandatory Profiles
Establishing Mandatory Profiles from a Local Profile
Mandatory Profiles from an Established Roaming Profile
Forced Mandatory Profiles (Super-Mandatory)
Final Thoughts

Chapter 9 IntelliMirror, Part 1: Redirected Folders, Offline Files, Synchronization Manager, and Disk Quotas

Overview of Change and Configuration Management and IntelliMirror
Redirected Folders
Redirected My Documents
Redirecting the Start Menu and the Desktop
Redirecting the Application Data
Troubleshooting Redirected Folders
Offline Files and the Synchronization Manager
Offline Files Basics
Synchronization Manager Basics
Making Offline Files Available
Client Configuration of Offline Folders
The "Do Nothing" Approach
Running Around to Each Client to Tweak Offline Files and the Synchronization Manager
Offline Files and Synchronization Manager Interaction
Using Folder Redirection and Offline Files over Slow Links
Synchronizing over Slow Links with Redirected My Documents
Synchronizing over Slow Links with Public Shares
Using Group Policy to Configure Offline Files (User and Computer Node)
Prohibit User Configuration of Offline Files
Synchronize All Offline Files When Logging On
Synchronize All Offline Files When Logging Off
Synchronize All Offline Files Before Suspend
Action on Server Disconnect
Nondefault Server Disconnect Actions
Remove "Make Available Offline"
Prevent Use of Offline Files Folder
Administratively Assigned Offline Files
Turn off Reminder Balloons
Reminder Balloon Frequency
Initial Reminder Balloon Lifetime
Reminder Balloon Lifetime
Event Logging Level
Prohibit "Make Available Offline" for These File and Folders
Do Not Automatically Make Redirected Folders Available Offline
Using Group Policy to Configure Offline Files (Exclusive to the Computer Node)
Allow or Disallow Use of the Offline Files Feature
Default Cache Size
Files Not Cached
At Logoff, Delete Local Copy of User's Offline Files
Subfolders Always Available Offline
Encrypt the Offline Files Cache
Configure Slow Link Speed
Disk Quotas
Quotas and Groups
Designing and Implementing a Quota Strategy
Import and Export Quota Entries
Using Group Policy to Affect Quotas
Final Thoughts

Chapter 10 IntelliMirror, Part 2: Software Deployment via Group Policy

GPSI Overview
The Windows Installer Service
Understanding .msi Packages
Utilizing an Existing .msi Package
Assigning and Publishing Applications
Assigning Applications
Publishing Applications
Rules of Deployment
Package-Targeting Strategy
Understanding .zap Files
Testing Publishing Applications to Users
Application Isolation
Advanced Published or Assigned
The General Tab
The Deployment Tab
The Upgrades Tab
The Categories Tab
The Modifications Tab
The Security Tab
Default Group Policy Software Installation Properties
The General Tab
The Advanced Tab (Windows 2003 Server Tools Only)
The File Extensions Tab
The Categories Tab
Removing Applications
Users Can Manually Change or Remove Applications
Automatically Removing Assigned or Published .msi Applications
Forcefully Removing Assigned or Published .msi Applications
Removing Published .zap Applications
Troubleshooting the Removal of Applications
Using Group Policy Software Installation over Slow Links
Assigning Applications to Users Over Slow Links Using Windows 2000
Assigning Applications to Users over Slow Links Using Windows XP and Windows 2003
Managing .msi Packages and the Windows Installer
Inside the MSIEXEC Tool
Affecting Windows Installer with Group Policy
GPO Targeting with WMI Filters
Tools (and references) of the WMI Trade
WMI Filter Syntax
Creating and Using a WMI Filter
Final WMI Filter Thoughts
Fitting Microsoft SMS into Your Environment
SMS Versus "In the Box" Rundown Comparison
GPSI and SMS Coexistence
Final Thoughts

Chapter 11 Beyond IntelliMirror: Shadow Copies and Remote Installation Services

Shadow Copies
Setting Up Shadow Copies on the Server
Delivering Shadow Copies to the Client
Restoring Files with the Shadow Copies Client
Inside Remote Installation Services
Server Components
Client Components
Setting Up RIS Server
Loading RIS
Installing the Base Image
Authorizing Your RIS Server
Managing the RIS Server
Installing Your First Client
Creating a Remote Boot Disk
Installing Your First Client
The Remote Installation Prep Tool (RIPrep)
How to Create Your Own Automated RIS Answer Files
Creating a Sample Fully Automated Answer File
Associating an Answer File with an Image
Using Group Policy to Manipulate Remote Installation Services
The Automatic Setup Section
The Custom Setup Section
The Restart Setup Section
The Tools Section
Final Thoughts

Appendix
Index
